CLAIMS

1. A method of obtaining proof of group membership in a computer system, comprising
the steps of:

A. presenting by a requester to an on-line server associated with a group a request
for a certificate certifying that a particular entity is a member of the group;

B. determining by the server whether the entity is a member of the group; and

C. issuing by the server a group membership certificate to the requester if the
server determines that the entity is a member of the group.

2. A method of obtaining proof of group non-membership in a computer system,
comprising the steps of:

A. presenting by a requester to an on-line server associated with a group a request
for a certificate certifying that a particular entity is not a member of the group;

B. determining by the server whether the entity is not a member of the group; and

C. issuing by the server a group non-membership certificate to the requester if the
server determines that the entity is not a member of the group.



3. A method for determining entity membership in a group, wherein a server associated
with the group performs the step of making a dynamic decision on membership in
the group of a particular entity.

4. The method of claim 3, wherein the dynamic decision-making step includes obtaining
by the server proof of entity membership in a second group.



5. The method of claim 4, wherein the proof of entity membership comprises a
group membership certificate.

6. The method of claim 4, wherein the proof of entity membership comprises a
group membership list.

7. The method of claim 3, wherein the dynamic decision-making step includes obtaining
by the server proof of entity non-membership in a second group.

8. The method of claim 7, wherein the proof of entity non-membership comprises a
group non-membership certificate.

9. The method of claim 7, wherein the proof of entity non-membership comprises a
group membership list.



10. The method of claim 3, wherein the server performs the step of making a dynamic
decision upon a request from a requester, and wherein the requester performs the step of
presenting to the server proof of entity membership in a second group.

11. The method of claim 10, wherein the proof of entity membership comprises a
group membership certificate.

12. The method of claim 10, wherein the proof of entity membership comprises a
group membership list.

13. The method of claim 3, wherein the server performs the step of making a dynamic
decision upon a request from a requester, and wherein the requester performs the step of
presenting to the server proof of entity non-membership in a second group.

14. The method of claim 13, wherein the proof of entity non-membership comprises a
group non-membership certificate.

15. The method of claim 13, wherein the proof of entity non-membership comprises a
group membership list.

16. A computer system wherein a group membership certificate is issued by an
on-line certification authority upon request.

17. A computer system wherein a group non-membership certificate is issued by an
on-line certification authority upon request.

18. A computer system wherein a server associated with a group makes a dynamic
decision on membership in the group of a particular entity.

19. The system of claim 18 wherein the server obtains proof of entity membership in
a second group.

20. The system of claim 19 wherein the proof of entity membership is a group
membership certificate.

21. The system of claim 19 wherein the proof of entity membership is a group
membership list.

22. The system of claim 18 wherein the server obtains proof of entity
non-membership in a second group.

23. The system of claim 22 wherein the proof of entity non-membership is a group
non-membership certificate.

24. The system of claim 22 wherein the proof of entity non-membership is a group
membership list.

25. The system of claim 18 wherein the server makes the dynamic decision on a
request from a requester, and wherein the requester presents to the server proof of entity
membership in a second group.

26. The system of claim 25 wherein the proof of entity membership is a group
membership certificate.

27. The system of claim 25 wherein the proof of entity membership is a group
membership list.

28. The system of claim 18 wherein the server makes the dynamic decision on a
request from a requester, and wherein the requester presents to the server proof of entity
non-membership in a second group.

29. The system of claim 28 wherein the proof of entity non-membership is a group
non-membership certificate.

30. The system of claim 28 wherein the proof of entity non-membership is a group
membership list.



31. A method of operating an on-line server on a computer network, said server
associated with a group and performing the steps of:

A. receiving a request from a network device for proof of membership of a client
in the group;

B. making a dynamic decision on whether the client is a member of the group;

C. issuing to the network device, if the server decides that the client is a member
of the group, a group membership certificate proving that the client is a member
of the group.

32. The method of claim 31 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the resource
server, said request including the group membership certificate.



33. The method of claim 31 wherein the network device is a resource server receiving
a request from a client seeking access to a resource on the resource server, said resource
server validating the group membership certificate and authorizing client access to the
resource.

34. A method of operating an on-line server on a computer network, said server
associated with a group and performing the steps of:

A. receiving a request from a network device for proof of membership of a client
in the group;

B. making a dynamic decision on whether the client is a member of the group;
and

C. issuing to the network device, if the server decides that the client is a member
of the group, a group membership list proving that the client is a member of
the group.

35. The method of claim 34 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the resource
server, said request including the group membership list.

36. The method of claim 34 wherein the network device is a resource server receiving
a request from a client seeking access to a resource on the resource server, said resource
server validating the group membership list and authorizing client access to the resource.
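
The flow of claims 31 to 33, with the dynamic decision fed by requester-supplied proofs as in claims 10 and 13, can be run as the following Python example. It is an added illustration, not code from the patent: the group names, keys, rosters, 300-second lifetime and membership policy are assumptions, and an HMAC stands in for the issuing server's digital signature.

```python
import hashlib, hmac, json

# Constructed sample data: group names, keys and rosters are hypothetical.
KEYS = {"engineering": b"eng-key", "contractors": b"con-key", "project-x": b"px-key"}
ROSTER = {"engineering": {"alice", "bob"}, "contractors": {"bob"}}

def sign(group, body):
    # HMAC stands in for the group server's digital signature (assumption).
    return hmac.new(KEYS[group], body.encode(), hashlib.sha256).hexdigest()

def issue(group, entity, member, now, ttl=300):
    """Group server: sign a short-lived membership or non-membership statement."""
    body = json.dumps({"group": group, "entity": entity,
                       "member": member, "exp": now + ttl}, sort_keys=True)
    return {"body": body, "sig": sign(group, body)}

def validate(cert, group, entity, member, now):
    """Relying party: check signature, then subject, polarity and expiry."""
    if not cert or not hmac.compare_digest(cert["sig"], sign(group, cert["body"])):
        return False
    c = json.loads(cert["body"])
    return (c["group"], c["entity"], c["member"]) == (group, entity, member) \
        and now < c["exp"]

def roster_server(group, entity, want_member, now):
    """Claims 1 and 2: certify only what the server's own check confirms."""
    if (entity in ROSTER[group]) != want_member:
        return None
    return issue(group, entity, want_member, now)

def project_x_server(entity, proofs, now):
    """Claims 10 and 13: dynamic decision from proofs the requester presents.
    Hypothetical policy: in engineering AND not in contractors."""
    ok = (validate(proofs.get("engineering"), "engineering", entity, True, now)
          and validate(proofs.get("contractors"), "contractors", entity, False, now))
    return issue("project-x", entity, True, now) if ok else None

def resource_server(entity, cert, now):
    """Claims 32 and 33: the resource server validates before authorizing."""
    return validate(cert, "project-x", entity, True, now)

def request_access(entity, now):
    """Client side: collect proofs, then obtain the project-x certificate."""
    proofs = {"engineering": roster_server("engineering", entity, True, now),
              "contractors": roster_server("contractors", entity, False, now)}
    return project_x_server(entity, proofs, now)
```

Binding the entity name, the membership polarity and an expiry into the signed body is what lets the resource server reject a certificate replayed by another client, a non-membership proof offered as a membership proof, or a stale decision.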



38. A method of operating an on-line server on a computer network, said server
associated with a group and performing the steps of:

A. receiving a request from a network device for proof of non-membership of a
client in the group;

B. making a dynamic decision on whether the client is not a member of the
group; and

C. issuing to the network device, if the server decides that the client is not a
member of the group, a group non-membership certificate proving that the client
is not a member of the group.

39. The method of claim 38 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the resource
server, said request including the group non-membership certificate.

40. The method of claim 38 wherein the network device is a resource server receiving
a request from a client seeking access to a resource on the resource server, said resource
server validating the group non-membership certificate and authorizing client access to
the resource.

41. A method of operating an on-line server on a computer network, said server
associated with a group and performing the steps of:

A. receiving a request from a network device for proof of non-membership of a
client in the group;

B. making a dynamic decision on whether the client is not a member of the
group; and

C. issuing to the network device, if the server decides that the client is not a
member of the group, a group membership list proving that the client is not a
member of the group.

42. The method of claim 41 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the resource
server, said request including the group membership list.

43. The method of claim 41 wherein the network device is a resource server receiving
a request from a client seeking access to a resource on the resource server, said resource
server validating the group membership list and authorizing client access to the resource.



44. An on-line server on a computer network, said server associated with a group and
comprised of:

A. means for receiving a request from a network device for proof of membership
of a client in the group;

B. means for making a dynamic decision on whether the client is a member of the
group; and

C. means for issuing to the network device, if the server decides that the client is
a member of the group, a group membership certificate proving that the client
is a member of the group.

45. The on-line server of claim 44 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the
resource server, said request including the group membership certificate.

46. The on-line server of claim 44 wherein the network device is a resource server
receiving a request from a client seeking access to a resource on the resource server, said
resource server validating the group membership certificate and authorizing client access
to the resource.

47. An on-line server on a computer network, said server associated with a group and
comprised of:

A. means for receiving a request from a network device for proof of membership
of a client in the group;

B. means for making a dynamic decision on whether the client is a member of the
group; and

C. means for issuing to the network device, if the server decides that the client is
a member of the group, a group membership list proving that the client is a
member of the group.

48. The on-line server of claim 47 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the
resource server, said request including the group membership list.

49. The on-line server of claim 47 wherein the network device is a resource server
receiving a request from a client seeking access to a resource on the resource server, said
resource server validating the group membership list and authorizing client access to the
resource.



50. An on-line server on a computer network, said server associated with a group and
comprised of:

A. means for receiving a request from a network device for proof of non-membership
of a client in the group;

B. means for making a dynamic decision on whether the client is not a member
of the group; and

C. means for issuing to the network device, if the server decides that the client is
not a member of the group, a group non-membership certificate proving that
the client is not a member of the group.

51. The on-line server of claim 50 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the
resource server, said request including the group non-membership certificate.

52. The on-line server of claim 50 wherein the network device is a resource server
receiving a request from a client seeking access to a resource on the resource server, said
resource server validating the group non-membership certificate and authorizing client
access to the resource.


53. An on-line server on a computer network, said server associated with a group and
comprised of:

A. means for receiving a request from a network device for proof of non-membership
of a client in the group;

B. means for making a dynamic decision on whether the client is not a member
of the group; and

C. means for issuing to the network device, if the server decides that the client is
not a member of the group, a group membership list proving that the client is
not a member of the group.

54. The on-line server of claim 53 wherein the network device is the client, said client
subsequently presenting to a resource server a request for access to a resource on the
resource server, said request including the group membership list.

55. The on-line server of claim 53 wherein the network device is a resource server
receiving a request from a client seeking access to a resource on the resource server, said
resource server validating the group membership list and authorizing client access to the
resource.



56. A computer data signal embodied in a carrier wave and representing a sequence of
instructions that, when executed by a processor in a network device associated with a
group, configures the network device to operate as an on-line server that:

A. receives a request from a second network device for proof of membership of a
client in the group;

B. makes a dynamic decision on whether the client is a member of the group; and

C. issues to the second network device, if the on-line server decides that the client
is a member of the group, a group membership certificate proving that the
client is a member of the group.

57. The computer data signal of claim 56 wherein the second network device is the
client, said client subsequently presenting to a resource server a request for access to a
resource on the resource server, said request including the group membership certificate.

58. The computer data signal of claim 56 wherein the second network device is a
resource server, said resource server receiving a request from a client seeking access to a
resource on the resource server, validating the group membership certificate, and
authorizing client access to the resource.

59. A computer data signal embodied in a carrier wave and representing a sequence of
instructions that, when executed by a processor in a network device associated with a
group, configures the network device to operate as an on-line server that:

A. receives a request from a second network device for proof of membership of a
client in the group;

B. makes a dynamic decision on whether the client is a member of the group; and

C. issues to the second network device, if the on-line server decides that the client
is a member of the group, a group membership list proving that the client
is a member of the group.

60. The computer data signal of claim 59 wherein the second network device is the
client, said client subsequently presenting to a resource server a request for access to a
resource on the resource server, said request including the group membership list.

61. The computer data signal of claim 59 wherein the second network device is a
resource server, said resource server receiving a request from a client seeking access to a
resource on the resource server, validating the group membership list, and authorizing
client access to the resource.

62. A computer data signal embodied in a carrier wave and representing a sequence of
instructions that, when executed by a processor in a network device associated with a
group, configures the network device to operate as an on-line server that:

A. receives a request from a second network device for proof of non-membership
of a client in the group;

B. makes a dynamic decision on whether the client is not a member of the group;
and

C. issues to the second network device, if the on-line server decides that the client
is not a member of the group, a group non-membership certificate proving
that the client is not a member of the group.

63. The computer data signal of claim 62 wherein the second network device is the
client, said client subsequently presenting to a resource server a request for access to a
resource on the resource server, said request including the group non-membership
certificate.

64. The computer data signal of claim 62 wherein the second network device is a
resource server, said resource server receiving a request from a client seeking access to a
resource on the resource server, validating the group non-membership certificate, and
authorizing client access to the resource.

65. A computer data signal embodied in a carrier wave and representing a sequence of
instructions that, when executed by a processor in a network device associated with a
group, configures the network device to operate as an on-line server that:

A. receives a request from a second network device for proof of non-membership
of a client in the group;

B. makes a dynamic decision on whether the client is not a member of the group;
and

C. issues to the second network device, if the on-line server decides that the client
is not a member of the group, a group membership list proving that the client
is not a member of the group.

66. The computer data signal of claim 65 wherein the second network device is the
client, said client subsequently presenting to a resource server a request for access to a
resource on the resource server, said request including the group membership list.

67. The computer data signal of claim 65 wherein the second network device is a
resource server, said resource server receiving a request from a client seeking access to a
resource on the resource server, validating the group membership list, and authorizing
client access to the resource.